Maturity Model
Use the maturity model to turn discovery findings into a shared view of risk and sequencing. Scores are not grades; they are backlog inputs.
Scoring levels
| Level | Meaning |
|---|---|
| 1 | Ad hoc, manual, undocumented, or hero-driven |
| 2 | Repeatable in pockets, but inconsistent across teams |
| 3 | Defined standard with known owners and partial automation |
| 4 | Automated, measured, and adopted by most teams |
| 5 | Continuously improved with clear evidence and feedback loops |
Assessment dimensions
Score each domain independently.
- Delivery safety: tests, approvals, rollout, rollback, and release visibility.
- Infrastructure control: infrastructure-as-code, drift detection, state ownership, and review process.
- Security posture: identity, secrets, vulnerability management, policy, and least privilege.
- Reliability: observability, SLOs, incident response, capacity, and recovery.
- Developer experience: onboarding, local workflow, paved roads, and support quality.
- Governance: audit evidence, exceptions, ownership, and control mapping.
- Cost: allocation, tagging, budget alerts, and optimization cadence.
Assessment output
Using scores
- Prioritize low maturity in high-impact systems first.
- Convert each low score into a concrete risk statement.
- Avoid averaging scores across unrelated domains.
- Reassess after major releases, incidents, or platform changes.
- Use evidence from systems of record rather than opinion alone.
A score without evidence is a conversation starter, not a conclusion.